Firewall

cFos' firewall analyzes incoming and outgoing packets, blocking potentially dangerous ones. Thus, it can shield you from some
basic security risks encountered in today's network environment, but it is no substitute for "real" firewall software like
Zone Labs' ZoneAlarm, Agnitum Outpost, Kerio Personal Firewall, or Symantec's Norton Personal Firewall, to name a few.

How does it work?

cFos checks your PPP data transfer and blocks all packets using an unknown protocol type (i.e., everything that's not IP or
VJ-compressed TCP/IP). What's more, cFos also screens your IP traffic for ICMP messages, which can prove dangerous in a
number of ways. External PING packets, for instance, can be employed in so-called Denial-of-Service (DoS) attacks on ADSL.
In addition, all TCP and UDP packets sent to or from certain ports are blocked. The exact port numbers can be viewed and
modified in SETTINGS.INI. Look for the lines with "-tcp-dport" and "-udp-dport" in them.

If there is an unauthorized access attempt, you will be alerted to it by a red shield flashing on the bottom left of the
cFos status display.

Arguably, every firewall's primary task is to close all NetBIOS ports, which provide the "bad guys" with a virtual "barn
door" through which they can access your shared files and directories. Those ports are numbered 137-139. Ports 135 and 445,
which are used by a multitude of intrusions, are blocked, too.

Therefore, if you're not running a server that needs to be accessible from the Internet, the default settings are a good
choice. If you do run such a server, it should still be ok. If it is not, you can adjust the firewall to your needs or you
can switch to a full-featured firewall product.

More technical background on the cFos Firewall

Experience shows you should expect the first port scans from potential attackers seeking to take a look at your
computer after spending just minutes online. This holds almost equally true for ADSL and ISDN even if you are taking full
advantage of having your IP address dynamically assigned. There are simply too many programs available on the Net that are
designed to scan computers online for potential security gaps.

To complicate matters further, each operating system comes with its own bag of security gaps:

For instance, NetBIOS ports present one big problem under Windows 9x/ME and NT/2000/XP, as attackers can not only use NetBIOS
to check user and computer names but also to find out if file sharing has been activated. If that is the case, certain programs
can be used to try all standard passwords within a matter of seconds (especially on ADSL). Chances of gaining access to local
directories in this fashion are in fact so high that security experts refer to NetBIOS ports as a "barn door." But the default
setting of the cFos Firewall bars access to these ports.

Another major risk when using ADSL arises from the fact that data can be downloaded faster from the Net than a local computer
can send it back (i.e., upload). This transfer-rate differential can be abused to launch so-called Denial-of-Service attacks
by preventing a local computer from returning echo requests (wake-up packets), which Telekom broadband nodes require to maintain
a connection. This will eventually result in complete connection breakdown. For this reason, cFos blocks all potentially
dangerous ICMP packets.

On top of that, the firewall keeps track of the TCP connection status, thereby allowing cFos to perform dynamic "port
stealthing." This means that if someone tried to connect to your computer, but the targeted port was not in listen mode,
the remote party would not receive an RST segment. In other words, the attacker would not even know your computer existed.
Only if the targeted port was in listen mode (e.g., because you are running a Net server) would such incoming connections
be accepted and reciprocated.

The same principle applies to UDP ports. If a remote party tried to connect to one of your UDP ports not currently in listen
mode, it would receive no feedback whatsoever, rendering the targeted port effectively "invisible."

The main advantage of this approach is that hackers won't be able to tell whether the address is in use or if you are just
not answering. At the very least, your PC will no longer be easy prey for malicious attackers.
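
The filtering and port-stealthing behaviour described above, as an added Python model that is not cFos code: it compares what a remote party gets back from an unfiltered host with what it gets behind the filter. The rule order, the function names and the sample listening ports are assumptions made for the illustration.

```python
# Added illustration, not cFos code: a model of the inbound filtering described above.
from dataclasses import dataclass

BLOCKED_PORTS = {135, 137, 138, 139, 445}  # ports this page names as blocked
ICMP_ECHO_REQUEST = 8                      # ICMP type used by an external PING

@dataclass(frozen=True)
class Packet:
    proto: str           # "tcp", "udp" or "icmp" (the only cases modelled)
    dport: int = 0       # destination port for TCP/UDP
    icmp_type: int = -1  # ICMP type, ignored for TCP/UDP

def unfiltered_reply(pkt, listening):
    """Reply an ordinary IP stack sends to an unsolicited inbound packet."""
    if pkt.proto == "icmp":
        return "echo-reply" if pkt.icmp_type == ICMP_ECHO_REQUEST else None
    if (pkt.proto, pkt.dport) in listening:
        return "syn-ack" if pkt.proto == "tcp" else "app-reply"
    # Closed port: TCP answers with RST, UDP with ICMP port unreachable.
    return "rst" if pkt.proto == "tcp" else "icmp-port-unreachable"

def stealth_reply(pkt, listening):
    """Reply seen by the remote party behind the filter; None means silence."""
    if pkt.proto == "icmp" and pkt.icmp_type == ICMP_ECHO_REQUEST:
        return None      # external PING dropped
    if pkt.proto in ("tcp", "udp"):
        if pkt.dport in BLOCKED_PORTS:
            return None  # dropped even though a service may be listening
        if (pkt.proto, pkt.dport) not in listening:
            return None  # stealthing: no RST and no ICMP error leaves the host
    return unfiltered_reply(pkt, listening)

def remote_view(probes, listening):
    """Map each probe to (reply without filter, reply with filter)."""
    return {p: (unfiltered_reply(p, listening), stealth_reply(p, listening))
            for p in probes}

def looks_absent(probes, listening):
    """True if every probe is met with silence, as for an unused address."""
    return all(stealth_reply(p, listening) is None for p in probes)

# Constructed sample: a web server on TCP 80 plus Windows file sharing on TCP 139.
LISTENING = {("tcp", 80), ("tcp", 139)}
PROBES = [Packet("tcp", 80), Packet("tcp", 139), Packet("tcp", 8080),
          Packet("udp", 5000), Packet("icmp", icmp_type=ICMP_ECHO_REQUEST)]

if __name__ == "__main__":
    for probe, (plain, filtered) in remote_view(PROBES, LISTENING).items():
        print(f"{probe.proto:4} {probe.dport:5}  unfiltered={plain}  filtered={filtered}")
```

With the sample server on TCP 80 the host is still visible through that one port; with no listening services every probe is met with silence, which is the "address not in use" appearance the text describes.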

To activate the cFos Firewall, the "S89" modem register needs to be set. Its value (-x89=...) can also be entered during
cFos startup as a global parameter, which then applies to all your COM ports and cFos Modems.

The firewall provides users with some protection against attacks from the outside. However, there are a number of threats
to data integrity and system security our firewall cannot cover. So-called Trojan horse programs, for instance, install themselves
surreptitiously on a target computer, then try to uncover personal data and relay it to a remote party. Employers may also
wish to prevent employees from sending sensitive corporate data to third parties. Anyone with such high security needs would
be well-advised to have a full-fledged professional firewall installed. In addition, the firewall does not help at all against
exploits of your web browser or other high-level software.

Still, our firewall offers good protection against most external attacks without forcing users to install more expensive
software or dwell excessively on intricately complicated security questions. This added security is included for free with
each delivery of cFos, which is particularly handy seeing how flat rates are growing more and more popular all the time.
cFos is furthermore fully capable of complementing other firewall software as part of a multi-layered security protection
system for your PC.
